Cloud computing - the calm before the storm

Leon Ward, senior security engineer at Sourcefire, looks at the challenges that companies are facing when they consider moving to the cloud for the first time.

Enterprises across the world are hunting down the best way to scale their computing capability, and finding ways to work smarter has become increasingly important in today's cost-controlled market.

IT departments searching for a solution often demand that the infrastructure has to be quick, cheap and dynamic and this is one of the reasons that cloud computing is being touted as a potential corporate game changer.

Cloud computing has been described as arguably the third revolution of IT, following the personal computer and internet revolutions. But like most revolutions, progress towards widespread acceptance of the new regime is likely to take some time, amid suspicion, a lack of confidence, wise scepticism and some false starts.

Many CIOs are in the process of moving applications and services into the cloud. Some are considering cloud-based computing due to economic reasons, while others are looking to create new dynamic IT services.

Regardless of the reasons, with organisations contemplating moving to a cloud environment, many are forgetting a potentially fatal element: security. Before an IT director can make a clear, sensible decision about a future cloud strategy, let's investigate where some risks lie, and work out where responsibility and accountability fall.

Ensuring a security evaluation is undertaken is a 'must do'. Never simply assume that a service provider's security is up to scratch. It must be checked. Matt Watchinski, Sourcefire's director of the vulnerability research team, endorses this view.

He says that as more and more enterprises and organisations move their applications to SaaS platforms, one provider is bound to fail miserably. We haven't seen the major compromise, but this risk has to be on the horizon. So with storm clouds ahead, who is going to be in the dock when there is a failure?

An understanding of accountability needs to be clear. Businesses using these types of services need to make sure they understand who is responsible for fixing these problems when they crop up, and who is legally accountable for the data loss. Outsourcing your data to the cloud does not equate to outsourcing the risk: if your cloud provider was responsible for the loss of your customers' data, you could still find yourself accountable.

Is your data safe?

So why does all this matter? Using a public cloud for all or part of your IT infrastructure means trusting a third party to store your confidential records, and provide services that are likely to be essential to your business. Critical information is the modern enterprise's equivalent to the crown jewels.

It has immense value to that organisation, and you don't want to be the individual to lose any of it. When a large amount of data comes together, its value, and the risk attached to its loss, increase substantially.

In many ways this can be easily compared to currency. We are generally happy to walk around with £100 in our wallet, but carrying £10,000 would make us a little more nervous. Instead we keep our personal savings somewhere 'safe' and make informed decisions about where we select that safe place to be.

No matter how good a lock I place on my front door, like most of the world I choose to outsource this protection and keep my savings in a bank rather than trying to do a better job securing it myself, say in an old mattress in the loft. We need to adopt the same instinct with our data, because there is a big difference between 100 and 10,000 customer records.

Society understands that money is safer being stored in a bank than at home primarily due to the economies of scale involved in its protection. Banks are not only looking after my life savings, they are doing the same for many other people and therefore need to invest wisely to ensure huge quantities of cash are kept safe. This safety and protection is core to their operation in the market.

A similar argument is made by cloud computing vendors about the safety of your information stored offsite in a shared cloud. However, just as in a bank, the aggregation of vast quantities of data in their environment makes it a far more attractive target to those with nefarious goals. So should you trust your company's data in a shared cloud the same way as you likely trust your valuables in a bank?

Well, let's look at the general reasons why society puts faith in bank security over trying to protect things ourselves:

Accountability for loss: If my bank is robbed or burgled, my investment with them is still safe because of the bank's insurance.

Survived the test of history: Banks have been around for a very long time, and so have experienced all manner of attempts to steal from them. Overall the majority have done a good job of keeping things safe and secure.

Heavy Regulation: All banking organisations must follow strict codes of conduct when it comes to adequate protection of my deposits from theft.

These points are not necessarily true for the protection of our critical information in an external shared cloud infrastructure. This therefore raises some open questions about the guarantees to the safety of that data, and potentially your own crown jewels.

The impact of failure

Serious failures within a cloud infrastructure can have repercussions that reach much further than within a single enterprise. When Google's Gmail service suffers an outage I know that I'm not the only one feeling pain, but on the positive side I know that I won't be missing many important emails because the outage will likely prevent most of the Gmail users I know from sending anything to me!

Google so far has a positive track record and has earned a good reputation for service uptime. Sure it's had some outages, but overall it's been satisfactory.

Unfortunately the same cannot be said for all providers. Last year, after a major server outage, thousands of users of the Sidekick mobile phone and messaging service were warned that their personal data and photos had 'almost certainly been lost'. Over a week later Microsoft, owner of the cloud-computing provider Danger, confirmed that they had managed to recover 'most, if not all the customer data'.

This example publicly highlights the potential danger of entrusting personal data to the cloud, but it doesn't mean there's a major design flaw in the cloud-computing concept. It is implementation specific, but it negatively impacts confidence in the whole market.

On the positive side, cloud service providers typically have more resources to put into security and reliability than most businesses, and far more than a small business. Where would you prefer your sensitive, client and internal data were stored? Public clouds advertise a robust, highly physically secure data centre.

Additionally there should be a team of onsite security experts focused on protecting the stored information. Compare this to the alternative of the data being stored on a laptop that is continually moving around and being accessed in different locations. The data centre now seems the smart choice, but don't forget you are handing over your information to someone else, and therefore losing direct control over it.

Compliance matters

Those considering a move to the cloud need to consider how their market is regulated. Strict codes of conduct apply to many businesses and in some cases, regulations might stipulate that personal data has to remain within a specific country, thus ruling out the use of certain providers who distribute data globally.

In some situations the storage and processing of information away from a user or the enterprise is seen as a real advantage. A good example of this would be in a government, military or other high-security environment. Because of this advantage I expect to see some near-term implementations of government controlled and designed community cloud infrastructures.

If those who are accountable for potential data loss are in control of the cloud constructed to protect it, many of my concerns dissipate and central responsibility can be re-established around critical information that has traditionally been distributed. Imagine a world where DVDs of sensitive data are no longer lost in the post; they are simply re-referenced within the cloud.

Make sure your house is in order

If the idea of storing and working with your critical data in a shared external infrastructure looks attractive in terms of cost metrics, before looking for a provider it is clear that some research needs to be undertaken.

Firstly, you need to prepare a list of mandatory security controls that you demand around the data you consider most sensitive, and then come up with suggestions of how a provider could potentially demonstrate these controls to you in action. Only then start to research the providers that believe they can meet the demands you place on your data.

This should be part of any due diligence process. As the service consumer you should be in control of your data wherever it is, and you should have the ability to demand that any provider can prove their security capability, as it is likely that you will ultimately be accountable for a breach.

Find out who you call if there is a problem and details around what service you can expect. In times of crisis you need guarantees that it will be prompt and responsive. The cloud provider needs to be transparent.

If you have performed in-depth research before looking at service offerings you should understand the problems that face cloud providers. Never be scared to call foul when you see a complex problem with an oversimplified solution. It's a cliché, but if it sounds too good to be true, it probably is. Always make sure you keep the horror show that is accountability in mind. Out of sight should never mean out of mind.
